The Russian threat actor known as Shuckworm is continuing its cyber assault spree against Ukrainian entities in a bid to steal sensitive information from compromised environments.
Targets of the latest intrusions, which began in February/March 2023, include security services, military, and government organizations, Symantec said in a new report shared with The Hacker News.
“In some cases, the Russian group succeeded in staging long-running intrusions, lasting for as long as three months,” the cybersecurity company said.
“The attackers repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian service members, reports from enemy engagements and air strikes, arsenal inventory reports, training reports, and more.”
Shuckworm, also known by the names Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder, is attributed to Russia’s Federal Security Service (FSB). It’s said to have been active since at least 2013.
The cyber espionage activities consist of spear-phishing campaigns designed to lure victims into opening booby-trapped attachments, which ultimately lead to the deployment of information stealers such as Giddome, Pterodo, GammaLoad, and GammaSteel on infected hosts.
“Iron Tilden sacrifices some operational security in favor of high tempo operations, meaning that their infrastructure is identifiable through regular use of specific Dynamic DNS providers, Russian hosting providers, and remote template injection techniques,” Secureworks notes in its profile of the threat actor.
In the latest set of attacks detailed by Symantec, the threat actors have been observed using a new PowerShell script to propagate the Pterodo backdoor via USB drives.
While Shuckworm’s use of Telegram channels to retrieve the IP address of the server hosting the payloads is well documented, the threat actor is said to have expanded the technique to store command-and-control (C2) addresses on Telegraph, a blogging platform owned by Telegram.
Also used by the group is a PowerShell script (“foto.safe”) which is spread through compromised USB drives and has the capability to download additional malware onto the host.
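The two behaviours above (a PowerShell script with a non-.ps1 name executed from a removable drive, and PowerShell fetching C2 details from Telegram or Telegraph) are both observable in endpoint telemetry. The following hunt is an added example, not code from Symantec’s report or from the article: it runs two rules over constructed Sysmon-style events. The event records, the command line containing foto.safe, the domain watchlist (telegra.ph, t.me, telegram.org) and the assumption that C: is the only fixed disk are all assumptions made for this demo, not observations from the report.

```python
"""Hunt for the two Shuckworm behaviours described above in Sysmon-style events.

Added example; not Symantec's or Shuckworm's code. Field names follow the Sysmon
schema (EventID 1 ProcessCreate, 3 NetworkConnect, 22 DnsQuery), but the records
themselves are constructed for this demo, not captured telemetry.
"""
import re

# Assumption: C: is the only fixed disk, so any other drive letter is treated as removable.
SYSTEM_DRIVES = {"C"}
# Assumed watchlist: Telegraph and Telegram front-end domains used as C2 dead drops.
DEAD_DROP_DOMAINS = {"telegra.ph", "t.me", "telegram.org"}

PS_IMAGE = re.compile(r"\\(?:powershell|pwsh)(?:_ise)?\.exe$", re.IGNORECASE)
WIN_PATH = re.compile(r"([A-Za-z]):\\[^\s\"']+")   # drive-letter paths in a command line

SAMPLE_EVENTS = [  # constructed for the demo
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -c "iex (gc E:\foto.safe -raw)"'},
    {"EventID": 22,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "QueryName": "telegra.ph"},
    {"EventID": 1,                      # benign: a .ps1 on the system drive
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1"},
    {"EventID": 3,                      # benign: a browser, not PowerShell
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "telegra.ph"},
]


def is_powershell(image: str) -> bool:
    """True when the event's process image is a PowerShell host."""
    return bool(PS_IMAGE.search(image))


def script_from_removable_drive(command_line: str):
    """Return the first path on a non-system drive that is not a .ps1 file, else None.

    powershell.exe -File refuses anything without a .ps1 extension, so a script hidden
    under another name (foto.safe) has to be read and evaluated from the command line;
    the path still lands in the ProcessCreate CommandLine field.
    """
    for match in WIN_PATH.finditer(command_line):
        path, drive = match.group(0), match.group(1).upper()
        if drive not in SYSTEM_DRIVES and not path.lower().endswith(".ps1"):
            return path
    return None


def is_dead_drop(hostname: str) -> bool:
    """True for a watchlisted domain or any subdomain of one."""
    host = hostname.lower().rstrip(".")
    return host in DEAD_DROP_DOMAINS or any(host.endswith("." + d) for d in DEAD_DROP_DOMAINS)


def hunt(events):
    """Return [(rule_name, evidence), ...] for every event that trips a rule."""
    hits = []
    for ev in events:
        if not is_powershell(ev.get("Image", "")):
            continue  # both rules key on the PowerShell host process
        if ev.get("EventID") == 1:
            path = script_from_removable_drive(ev.get("CommandLine", ""))
            if path:
                hits.append(("powershell_script_from_removable_drive", path))
        elif ev.get("EventID") in (3, 22):
            host = ev.get("QueryName") or ev.get("DestinationHostname") or ""
            if is_dead_drop(host):
                hits.append(("powershell_contacts_telegram_dead_drop", host.lower()))
    return hits


if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Both rules deliberately key on the PowerShell host process rather than on the domain alone, since a user’s browser visiting Telegraph is ordinary traffic while powershell.exe resolving it is not. Sysmon only emits DnsQuery (ID 22) events when the configuration enables them, so on hosts without that rule fall back to NetworkConnect (ID 3) with the destination hostname, which the `hunt` function also accepts.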
Further analysis of the intrusions shows that the adversary managed to breach the machines of human resources departments at the targeted organizations, suggesting attempts to glean information about the people working at those entities.
The findings are yet another indicator of Shuckworm’s continued reliance on short-lived infrastructure and its ongoing evolution of tactics and tools to stay ahead of the detection curve.
They also arrive a day after Microsoft shed light on destructive attacks, espionage, and information operations carried out against Ukraine by another Russian nation-state actor known as Cadet Blizzard.
“This activity demonstrates that Shuckworm’s relentless focus on Ukraine continues,” Symantec said. “It seems clear that Russian nation-state-backed attack groups continue to laser in on Ukrainian targets in attempts to find information that may potentially help their military operations.”
Some parts of this article are sourced from:
thehackernews.com